From e0dba3c902ec1c344095d4517df0c39e9dcf1984 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 21 Sep 2025 15:01:01 +0200 Subject: [PATCH] 6.6-stable patches added patches: alsa-hda-realtek-fix-mute-led-for-hp-laptop-15-dw4xx.patch asoc-qcom-audioreach-fix-lpaif_type-configuration-for-the-i2s-interface.patch asoc-qcom-q6apm-lpass-dais-fix-missing-set_fmt-dai-op-for-i2s.patch asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch btrfs-tree-checker-fix-the-incorrect-inode-ref-size-check.patch crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch io_uring-backport-io_should_terminate_tw.patch io_uring-include-dying-ring-in-task_work-should-cancel-state.patch iommu-vt-d-fix-__domain_mapping-s-usage-of-switch_to_super_page.patch ksmbd-smbdirect-validate-data_offset-and-data_length-field-of-smb_direct_data_transfer.patch ksmbd-smbdirect-verify-remaining_data_length-respects-max_fragmented_recv_size.patch kvm-svm-sync-tpr-from-lapic-into-vmcb-v_tpr-even-if-avic-is-active.patch loongarch-align-acpi-structures-if-arch_strict_align-enabled.patch loongarch-check-the-return-value-when-creating-kobj.patch loongarch-update-help-info-of-arch_strict_align.patch mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch selftests-mptcp-avoid-spurious-errors-on-tcp-disconnect.patch selftests-mptcp-connect-catch-io-errors-on-listen-side.patch --- ...-fix-mute-led-for-hp-laptop-15-dw4xx.patch | 30 ++++++ ...-configuration-for-the-i2s-interface.patch | 34 +++++++ ...s-fix-missing-set_fmt-dai-op-for-i2s.patch | 35 +++++++ ...r-dereference-if-source-graph-failed.patch | 55 +++++++++++ ...x-the-incorrect-inode-ref-size-check.patch | 52 ++++++++++ 
...-concurrent-writes-in-af_alg_sendmsg.patch | 76 +++++++++++++++ ...ring-backport-io_should_terminate_tw.patch | 78 +++++++++++++++ ...ing-in-task_work-should-cancel-state.patch | 82 ++++++++++++++++ ...ping-s-usage-of-switch_to_super_page.patch | 67 +++++++++++++ ...th-field-of-smb_direct_data_transfer.patch | 58 +++++++++++ ...th-respects-max_fragmented_recv_size.patch | 59 ++++++++++++ ...to-vmcb-v_tpr-even-if-avic-is-active.patch | 56 +++++++++++ ...uctures-if-arch_strict_align-enabled.patch | 41 ++++++++ ...-the-return-value-when-creating-kobj.patch | 31 ++++++ ...pdate-help-info-of-arch_strict_align.patch | 43 +++++++++ ...-mvsdio-fix-dma_unmap_sg-nents-value.patch | 33 +++++++ ...ereferencering-uninitialized-pointer.patch | 56 +++++++++++ ...hen-accessing-sys-fs-nilfs2-features.patch | 95 +++++++++++++++++++ ...rn-in-case-of-no-bq27000-hdq-battery.patch | 66 +++++++++++++ ...rict-no-battery-detection-to-bq27000.patch | 48 ++++++++++ ...ent-i_fastreg_wrs-before-bailing-out.patch | 82 ++++++++++++++++ ...id-spurious-errors-on-tcp-disconnect.patch | 93 ++++++++++++++++++ ...nnect-catch-io-errors-on-listen-side.patch | 71 ++++++++++++++ queue-6.6/series | 23 +++++ 24 files changed, 1364 insertions(+) create mode 100644 queue-6.6/alsa-hda-realtek-fix-mute-led-for-hp-laptop-15-dw4xx.patch create mode 100644 queue-6.6/asoc-qcom-audioreach-fix-lpaif_type-configuration-for-the-i2s-interface.patch create mode 100644 queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-missing-set_fmt-dai-op-for-i2s.patch create mode 100644 queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch create mode 100644 queue-6.6/btrfs-tree-checker-fix-the-incorrect-inode-ref-size-check.patch create mode 100644 queue-6.6/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch create mode 100644 queue-6.6/io_uring-backport-io_should_terminate_tw.patch create mode 100644 queue-6.6/io_uring-include-dying-ring-in-task_work-should-cancel-state.patch create 
mode 100644 queue-6.6/iommu-vt-d-fix-__domain_mapping-s-usage-of-switch_to_super_page.patch create mode 100644 queue-6.6/ksmbd-smbdirect-validate-data_offset-and-data_length-field-of-smb_direct_data_transfer.patch create mode 100644 queue-6.6/ksmbd-smbdirect-verify-remaining_data_length-respects-max_fragmented_recv_size.patch create mode 100644 queue-6.6/kvm-svm-sync-tpr-from-lapic-into-vmcb-v_tpr-even-if-avic-is-active.patch create mode 100644 queue-6.6/loongarch-align-acpi-structures-if-arch_strict_align-enabled.patch create mode 100644 queue-6.6/loongarch-check-the-return-value-when-creating-kobj.patch create mode 100644 queue-6.6/loongarch-update-help-info-of-arch_strict_align.patch create mode 100644 queue-6.6/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch create mode 100644 queue-6.6/net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch create mode 100644 queue-6.6/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch create mode 100644 queue-6.6/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch create mode 100644 queue-6.6/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch create mode 100644 queue-6.6/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch create mode 100644 queue-6.6/selftests-mptcp-avoid-spurious-errors-on-tcp-disconnect.patch create mode 100644 queue-6.6/selftests-mptcp-connect-catch-io-errors-on-listen-side.patch diff --git a/queue-6.6/alsa-hda-realtek-fix-mute-led-for-hp-laptop-15-dw4xx.patch b/queue-6.6/alsa-hda-realtek-fix-mute-led-for-hp-laptop-15-dw4xx.patch new file mode 100644 index 0000000000..8aa340e370 --- /dev/null +++ b/queue-6.6/alsa-hda-realtek-fix-mute-led-for-hp-laptop-15-dw4xx.patch 
@@ -0,0 +1,30 @@
+From d33c3471047fc54966621d19329e6a23ebc8ec50 Mon Sep 17 00:00:00 2001
+From: Praful Adiga
+Date: Thu, 18 Sep 2025 12:40:18 -0400
+Subject: ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx
+
+From: Praful Adiga
+
+commit d33c3471047fc54966621d19329e6a23ebc8ec50 upstream.
+
+This laptop uses the ALC236 codec with COEF 0x7 and idx 1 to
+control the mute LED. Enable the existing quirk for this device.
+
+Signed-off-by: Praful Adiga
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10161,6 +10161,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8992, "HP EliteBook 845 G9", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8994, "HP EliteBook 855 G9", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8995, "HP EliteBook 855 G9", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x89a0, "HP Laptop 15-dw4xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x89a4, "HP ProBook 440 G9", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x89a6, "HP ProBook 450 G9", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x89aa, "HP EliteBook 630 G9", ALC236_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.6/asoc-qcom-audioreach-fix-lpaif_type-configuration-for-the-i2s-interface.patch b/queue-6.6/asoc-qcom-audioreach-fix-lpaif_type-configuration-for-the-i2s-interface.patch
new file mode 100644
index 0000000000..88bdac620b
--- /dev/null
+++ b/queue-6.6/asoc-qcom-audioreach-fix-lpaif_type-configuration-for-the-i2s-interface.patch
@@ -0,0 +1,34 @@
+From 5f1af203ef964e7f7bf9d32716dfa5f332cc6f09 Mon Sep 17 00:00:00 2001
+From: Mohammad Rafi Shaik
+Date: Mon, 8 Sep 2025 11:06:29 +0530
+Subject: ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface
+
+From: Mohammad Rafi Shaik
+
+commit 5f1af203ef964e7f7bf9d32716dfa5f332cc6f09 upstream.
+
+Fix missing lpaif_type configuration for the I2S interface.
+The proper lpaif interface type required to allow DSP to vote
+appropriate clock setting for I2S interface.
+
+Fixes: 25ab80db6b133 ("ASoC: qdsp6: audioreach: add module configuration command helpers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Srinivas Kandagatla
+Signed-off-by: Mohammad Rafi Shaik
+Message-ID: <20250908053631.70978-2-mohammad.rafi.shaik@oss.qualcomm.com>
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/qcom/qdsp6/audioreach.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/qcom/qdsp6/audioreach.c
++++ b/sound/soc/qcom/qdsp6/audioreach.c
+@@ -967,6 +967,7 @@ static int audioreach_i2s_set_media_form
+ param_data->param_id = PARAM_ID_I2S_INTF_CFG;
+ param_data->param_size = ic_sz - APM_MODULE_PARAM_DATA_SIZE;
+
++ intf_cfg->cfg.lpaif_type = module->hw_interface_type;
+ intf_cfg->cfg.intf_idx = module->hw_interface_idx;
+ intf_cfg->cfg.sd_line_idx = module->sd_line_idx;
+
diff --git a/queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-missing-set_fmt-dai-op-for-i2s.patch b/queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-missing-set_fmt-dai-op-for-i2s.patch
new file mode 100644
index 0000000000..c27604a353
--- /dev/null
+++ b/queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-missing-set_fmt-dai-op-for-i2s.patch
@@ -0,0 +1,35 @@
+From 33b55b94bca904ca25a9585e3cd43d15f0467969 Mon Sep 17 00:00:00 2001
+From: Mohammad Rafi Shaik
+Date: Mon, 8 Sep 2025 11:06:30 +0530
+Subject: ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S
+
+From: Mohammad Rafi Shaik
+
+commit 33b55b94bca904ca25a9585e3cd43d15f0467969 upstream.
+
+The q6i2s_set_fmt() function was defined but never linked into the
+I2S DAI operations, resulting DAI format settings is being ignored
+during stream setup. This change fixes the issue by properly linking
+the .set_fmt handler within the DAI ops.
+
+Fixes: 30ad723b93ade ("ASoC: qdsp6: audioreach: add q6apm lpass dai support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Srinivas Kandagatla
+Signed-off-by: Mohammad Rafi Shaik
+Message-ID: <20250908053631.70978-3-mohammad.rafi.shaik@oss.qualcomm.com>
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
++++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+@@ -256,6 +256,7 @@ static const struct snd_soc_dai_ops q6i2
+ .shutdown = q6apm_lpass_dai_shutdown,
+ .set_channel_map = q6dma_set_channel_map,
+ .hw_params = q6dma_hw_params,
++ .set_fmt = q6i2s_set_fmt,
+ };
+
+ static const struct snd_soc_dai_ops q6hdmi_ops = {
diff --git a/queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch b/queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch
new file mode 100644
index 0000000000..ccb578eebc
--- /dev/null
+++ b/queue-6.6/asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch
@@ -0,0 +1,55 @@
+From 68f27f7c7708183e7873c585ded2f1b057ac5b97 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Thu, 4 Sep 2025 12:18:50 +0200
+Subject: ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed
+
+From: Krzysztof Kozlowski
+
+commit 68f27f7c7708183e7873c585ded2f1b057ac5b97 upstream.
+
+If earlier opening of source graph fails (e.g. ADSP rejects due to
+incorrect audioreach topology), the graph is closed and
+"dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink
+graph continues though and next call to q6apm_lpass_dai_prepare()
+receives dai_data->graph[dai->id]=NULL leading to NULL pointer
+exception:
+
+ qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd
+ qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1
+ q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78
+ q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
+ ...
+ Call trace:
+ q6apm_graph_media_format_pcm+0x48/0x120 (P)
+ q6apm_lpass_dai_prepare+0x110/0x1b4
+ snd_soc_pcm_dai_prepare+0x74/0x108
+ __soc_pcm_prepare+0x44/0x160
+ dpcm_be_dai_prepare+0x124/0x1c0
+
+Fixes: 30ad723b93ad ("ASoC: qdsp6: audioreach: add q6apm lpass dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Srinivas Kandagatla
+Message-ID: <20250904101849.121503-2-krzysztof.kozlowski@linaro.org>
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
++++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c
+@@ -207,8 +207,10 @@ static int q6apm_lpass_dai_prepare(struc
+
+ return 0;
+ err:
+- q6apm_graph_close(dai_data->graph[dai->id]);
+- dai_data->graph[dai->id] = NULL;
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
++ q6apm_graph_close(dai_data->graph[dai->id]);
++ dai_data->graph[dai->id] = NULL;
++ }
+ return rc;
+ }
+
diff --git a/queue-6.6/btrfs-tree-checker-fix-the-incorrect-inode-ref-size-check.patch b/queue-6.6/btrfs-tree-checker-fix-the-incorrect-inode-ref-size-check.patch
new file mode 100644
index 0000000000..d0f24e8b7b
--- /dev/null
+++ b/queue-6.6/btrfs-tree-checker-fix-the-incorrect-inode-ref-size-check.patch
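Review bot: The new `if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)` guard in the `err:` path of q6apm_lpass_dai_prepare() carries no comment, and the hunk alone does not show why only the playback graph is closed there. Going by the commit message, the other direction's graph has to stay valid for a later prepare call, so a short comment such as `/* Close only the playback graph here; the capture graph is still used by a later prepare call */` would keep a future cleanup from restoring the unconditional close. The function body starts outside the hunk, so whether the dereference site itself checks `dai_data->graph[dai->id]` for NULL cannot be confirmed from here.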
@@ -0,0 +1,52 @@
+From 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo
+Date: Tue, 16 Sep 2025 07:54:06 +0930
+Subject: btrfs: tree-checker: fix the incorrect inode ref size check
+
+From: Qu Wenruo
+
+commit 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 upstream.
+
+[BUG]
+Inside check_inode_ref(), we need to make sure every structure,
+including the btrfs_inode_extref header, is covered by the item. But
+our code is incorrectly using "sizeof(iref)", where @iref is just a
+pointer.
+
+This means "sizeof(iref)" will always be "sizeof(void *)", which is much
+smaller than "sizeof(struct btrfs_inode_extref)".
+
+This will allow some bad inode extrefs to sneak in, defeating tree-checker.
+
+[FIX]
+Fix the typo by calling "sizeof(*iref)", which is the same as
+"sizeof(struct btrfs_inode_extref)", and will be the correct behavior we
+want.
+
+Fixes: 71bf92a9b877 ("btrfs: tree-checker: Add check for INODE_REF")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Johannes Thumshirn
+Reviewed-by: Filipe Manana
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tree-checker.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1717,10 +1717,10 @@ static int check_inode_ref(struct extent
+ while (ptr < end) {
+ u16 namelen;
+
+- if (unlikely(ptr + sizeof(iref) > end)) {
++ if (unlikely(ptr + sizeof(*iref) > end)) {
+ inode_ref_err(leaf, slot,
+ "inode ref overflow, ptr %lu end %lu inode_ref_size %zu",
+- ptr, end, sizeof(iref));
++ ptr, end, sizeof(*iref));
+ return -EUCLEAN;
+ }
+
diff --git a/queue-6.6/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch b/queue-6.6/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch
new file mode 100644
index 0000000000..8cf7b17895
--- /dev/null
+++ b/queue-6.6/crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch
@@ -0,0 +1,76 @@
+From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 16 Sep 2025 17:20:59 +0800
+Subject: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
+
+From: Herbert Xu
+
+commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 upstream.
+
+Issuing two writes to the same af_alg socket is bogus as the
+data will be interleaved in an unpredictable fashion. Furthermore,
+concurrent writes may create inconsistencies in the internal
+socket state.
+
+Disallow this by adding a new ctx->write field that indiciates
+exclusive ownership for writing.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan
+Reported-by: Bing-Jhong Billy Jheng
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/af_alg.c | 7 +++++++
+ include/crypto/if_alg.h | 10 ++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -969,6 +969,12 @@ int af_alg_sendmsg(struct socket *sock,
+ }
+
+ lock_sock(sk);
++ if (ctx->write) {
++ release_sock(sk);
++ return -EBUSY;
++ }
++ ctx->write = true;
++
+ if (ctx->init && !ctx->more) {
+ if (ctx->used) {
+ err = -EINVAL;
+@@ -1103,6 +1109,7 @@ int af_alg_sendmsg(struct socket *sock,
+
+ unlock:
+ af_alg_data_wakeup(sk);
++ ctx->write = false;
+ release_sock(sk);
+
+ return copied ?: err;
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -134,6 +134,7 @@ struct af_alg_async_req {
+ * SG?
+ * @enc: Cryptographic operation to be performed when
+ * recvmsg is invoked.
++ * @write: True if we are in the middle of a write.
+ * @init: True if metadata has been sent.
+ * @len: Length of memory allocated for this data structure.
+ * @inflight: Non-zero when AIO requests are in flight.
+@@ -149,10 +150,11 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- bool more;
+- bool merge;
+- bool enc;
+- bool init;
++ u32 more:1,
++ merge:1,
++ enc:1,
++ write:1,
++ init:1;
+
+ unsigned int len;
+
diff --git a/queue-6.6/io_uring-backport-io_should_terminate_tw.patch b/queue-6.6/io_uring-backport-io_should_terminate_tw.patch
new file mode 100644
index 0000000000..dc07bba28d
--- /dev/null
+++ b/queue-6.6/io_uring-backport-io_should_terminate_tw.patch
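Review bot: Changing the flags in struct af_alg_ctx from `bool` to `u32 ...:1` changes how assigned values are stored: a `bool` turns any non-zero value into 1, while a one-bit `u32` field keeps only bit 0. Any assignment elsewhere in af_alg.c that stores a masked flag word into `more`, `merge`, `enc` or `init` would then silently become 0; no such assignment is visible in these hunks, so the existing writers need to be checked. Declaring the fields as `bool more:1, merge:1, enc:1, write:1, init:1;` keeps the packing and the old conversion. The fields now also share one storage unit, so every writer has to hold the socket lock, as the `ctx->write` updates in af_alg_sendmsg() do.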
@@ -0,0 +1,78 @@
+From a4f4390cd3ce0a339754655f8210cfe33465e3c8 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 18 Sep 2025 11:27:06 -0600
+Subject: io_uring: backport io_should_terminate_tw()
+
+From: Jens Axboe
+
+Parts of commit b6f58a3f4aa8dba424356c7a69388a81f4459300 upstream.
+
+Backport io_should_terminate_tw() helper to judge whether task_work
+should be run or terminated.
+
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 3 +--
+ io_uring/io_uring.h | 13 +++++++++++++
+ io_uring/poll.c | 3 +--
+ io_uring/timeout.c | 2 +-
+ 4 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1460,8 +1460,7 @@ static void io_req_task_cancel(struct io
+ void io_req_task_submit(struct io_kiocb *req, struct io_tw_state *ts)
+ {
+ io_tw_lock(req->ctx, ts);
+- /* req->task == current here, checking PF_EXITING is safe */
+- if (unlikely(req->task->flags & PF_EXITING))
++ if (unlikely(io_should_terminate_tw()))
+ io_req_defer_failed(req, -EFAULT);
+ else if (req->flags & REQ_F_FORCE_ASYNC)
+ io_queue_iowq(req);
+--- a/io_uring/io_uring.h
++++ b/io_uring/io_uring.h
+@@ -394,6 +394,19 @@ static inline bool io_allowed_run_tw(str
+ ctx->submitter_task == current);
+ }
+
++/*
++ * Terminate the request if either of these conditions are true:
++ *
++ * 1) It's being executed by the original task, but that task is marked
++ * with PF_EXITING as it's exiting.
++ * 2) PF_KTHREAD is set, in which case the invoker of the task_work is
++ * our fallback task_work.
++ */
++static inline bool io_should_terminate_tw(void)
++{
++ return current->flags & (PF_KTHREAD | PF_EXITING);
++}
++
+ static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res)
+ {
+ io_req_set_res(req, res, 0);
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -258,8 +258,7 @@ static int io_poll_check_events(struct i
+ {
+ int v;
+
+- /* req->task == current here, checking PF_EXITING is safe */
+- if (unlikely(req->task->flags & PF_EXITING))
++ if (unlikely(io_should_terminate_tw()))
+ return -ECANCELED;
+
+ do {
+--- a/io_uring/timeout.c
++++ b/io_uring/timeout.c
+@@ -307,7 +307,7 @@ static void io_req_task_link_timeout(str
+ int ret = -ENOENT;
+
+ if (prev) {
+- if (!(req->task->flags & PF_EXITING)) {
++ if (!io_should_terminate_tw()) {
+ struct io_cancel_data cd = {
+ .ctx = req->ctx,
+ .data = prev->cqe.user_data,
diff --git a/queue-6.6/io_uring-include-dying-ring-in-task_work-should-cancel-state.patch b/queue-6.6/io_uring-include-dying-ring-in-task_work-should-cancel-state.patch
new file mode 100644
index 0000000000..18976bbfd6
--- /dev/null
+++ b/queue-6.6/io_uring-include-dying-ring-in-task_work-should-cancel-state.patch
@@ -0,0 +1,82 @@
+From 04a06705eb404dfc986171993c82d28a44c81402 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 18 Sep 2025 10:21:14 -0600
+Subject: io_uring: include dying ring in task_work "should cancel" state
+
+From: Jens Axboe
+
+Commit 3539b1467e94336d5854ebf976d9627bfb65d6c3 upstream.
+
+When running task_work for an exiting task, rather than perform the
+issue retry attempt, the task_work is canceled. However, this isn't
+done for a ring that has been closed. This can lead to requests being
+successfully completed post the ring being closed, which is somewhat
+confusing and surprising to an application.
+
+Rather than just check the task exit state, also include the ring
+ref state in deciding whether or not to terminate a given request when
+run from task_work.
+
+Cc: stable@vger.kernel.org # 6.1+
+Link: https://github.com/axboe/liburing/discussions/1459
+Reported-by: Benedek Thaler
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 6 ++++--
+ io_uring/io_uring.h | 4 ++--
+ io_uring/poll.c | 2 +-
+ io_uring/timeout.c | 2 +-
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1459,8 +1459,10 @@ static void io_req_task_cancel(struct io
+
+ void io_req_task_submit(struct io_kiocb *req, struct io_tw_state *ts)
+ {
+- io_tw_lock(req->ctx, ts);
+- if (unlikely(io_should_terminate_tw()))
++ struct io_ring_ctx *ctx = req->ctx;
++
++ io_tw_lock(ctx, ts);
++ if (unlikely(io_should_terminate_tw(ctx)))
+ io_req_defer_failed(req, -EFAULT);
+ else if (req->flags & REQ_F_FORCE_ASYNC)
+ io_queue_iowq(req);
+--- a/io_uring/io_uring.h
++++ b/io_uring/io_uring.h
+@@ -402,9 +402,9 @@ static inline bool io_allowed_run_tw(str
+ * 2) PF_KTHREAD is set, in which case the invoker of the task_work is
+ * our fallback task_work.
+ */
+-static inline bool io_should_terminate_tw(void)
++static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx)
+ {
+- return current->flags & (PF_KTHREAD | PF_EXITING);
++ return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs);
+ }
+
+ static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res)
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -258,7 +258,7 @@ static int io_poll_check_events(struct i
+ {
+ int v;
+
+- if (unlikely(io_should_terminate_tw()))
++ if (unlikely(io_should_terminate_tw(req->ctx)))
+ return -ECANCELED;
+
+ do {
+--- a/io_uring/timeout.c
++++ b/io_uring/timeout.c
+@@ -307,7 +307,7 @@ static void io_req_task_link_timeout(str
+ int ret = -ENOENT;
+
+ if (prev) {
+- if (!io_should_terminate_tw()) {
++ if (!io_should_terminate_tw(req->ctx)) {
+ struct io_cancel_data cd = {
+ .ctx = req->ctx,
+ .data = prev->cqe.user_data,
diff --git a/queue-6.6/iommu-vt-d-fix-__domain_mapping-s-usage-of-switch_to_super_page.patch b/queue-6.6/iommu-vt-d-fix-__domain_mapping-s-usage-of-switch_to_super_page.patch
new file mode 100644
index 0000000000..55bd276623
--- /dev/null
+++ b/queue-6.6/iommu-vt-d-fix-__domain_mapping-s-usage-of-switch_to_super_page.patch
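Review bot: The comment block above io_should_terminate_tw() in io_uring.h still lists only the two task-flag conditions, but the helper now also returns true when `percpu_ref_is_dying(&ctx->refs)`. Add a third item to that comment, for example ` * 3) The ring's refs are dying, i.e. the ring has been closed.`, and adjust its lead-in sentence so that it no longer speaks of two conditions. Only the last lines of the comment appear as context in this hunk; its opening lines are outside it.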
@@ -0,0 +1,67 @@
+From dce043c07ca1ac19cfbe2844a6dc71e35c322353 Mon Sep 17 00:00:00 2001
+From: Eugene Koira
+Date: Wed, 3 Sep 2025 13:53:29 +0800
+Subject: iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page()
+
+From: Eugene Koira
+
+commit dce043c07ca1ac19cfbe2844a6dc71e35c322353 upstream.
+
+switch_to_super_page() assumes the memory range it's working on is aligned
+to the target large page level. Unfortunately, __domain_mapping() doesn't
+take this into account when using it, and will pass unaligned ranges
+ultimately freeing a PTE range larger than expected.
+
+Take for example a mapping with the following iov_pfn range [0x3fe400,
+0x4c0600), which should be backed by the following mappings:
+
+ iov_pfn [0x3fe400, 0x3fffff] covered by 2MiB pages
+ iov_pfn [0x400000, 0x4bffff] covered by 1GiB pages
+ iov_pfn [0x4c0000, 0x4c05ff] covered by 2MiB pages
+
+Under this circumstance, __domain_mapping() will pass [0x400000, 0x4c05ff]
+to switch_to_super_page() at a 1 GiB granularity, which will in turn
+free PTEs all the way to iov_pfn 0x4fffff.
+
+Mitigate this by rounding down the iov_pfn range passed to
+switch_to_super_page() in __domain_mapping()
+to the target large page level.
+
+Additionally add range alignment checks to switch_to_super_page.
+
+Fixes: 9906b9352a35 ("iommu/vt-d: Avoid duplicate removing in __domain_mapping()")
+Signed-off-by: Eugene Koira
+Cc: stable@vger.kernel.org
+Reviewed-by: Nicolas Saenz Julienne
+Reviewed-by: David Woodhouse
+Link: https://lore.kernel.org/r/20250826143816.38686-1-eugkoira@amazon.com
+Signed-off-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/intel/iommu.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -2168,6 +2168,10 @@ static void switch_to_super_page(struct
+ struct dma_pte *pte = NULL;
+ unsigned long i;
+
++ if (WARN_ON(!IS_ALIGNED(start_pfn, lvl_pages) ||
++ !IS_ALIGNED(end_pfn + 1, lvl_pages)))
++ return;
++
+ while (start_pfn <= end_pfn) {
+ if (!pte)
+ pte = pfn_to_dma_pte(domain, start_pfn, &level,
+@@ -2241,7 +2245,8 @@ __domain_mapping(struct dmar_domain *dom
+ unsigned long pages_to_remove;
+
+ pteval |= DMA_PTE_LARGE_PAGE;
+- pages_to_remove = min_t(unsigned long, nr_pages,
++ pages_to_remove = min_t(unsigned long,
++ round_down(nr_pages, lvl_pages),
+ nr_pte_to_next_page(pte) * lvl_pages);
+ end_pfn = iov_pfn + pages_to_remove - 1;
+ switch_to_super_page(domain, iov_pfn, end_pfn, largepage_lvl);
diff --git a/queue-6.6/ksmbd-smbdirect-validate-data_offset-and-data_length-field-of-smb_direct_data_transfer.patch b/queue-6.6/ksmbd-smbdirect-validate-data_offset-and-data_length-field-of-smb_direct_data_transfer.patch
new file mode 100644
index 0000000000..60b897bb3d
--- /dev/null
+++ b/queue-6.6/ksmbd-smbdirect-validate-data_offset-and-data_length-field-of-smb_direct_data_transfer.patch
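Review bot: The alignment guard added to switch_to_super_page() returns silently after `WARN_ON`, and the function is void, so the __domain_mapping() call in the second hunk cannot tell that nothing was freed. Since the caller now rounds the length with `round_down(nr_pages, lvl_pages)`, the guard reads as a pure assertion; a one-line comment saying so, e.g. `/* Callers must pass a range aligned to lvl_pages, otherwise PTEs past end_pfn would be freed */`, would document the contract. The rounding covers only the length, so the start check still relies on `iov_pfn` being aligned whenever a large page level is chosen, which is not visible here. `WARN_ON_ONCE` would keep a repeatedly misbehaving caller from flooding the log. Both functions start and end outside these hunks.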
@@ -0,0 +1,58 @@
+From 5282491fc49d5614ac6ddcd012e5743eecb6a67c Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Wed, 10 Sep 2025 11:22:52 +0900
+Subject: ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer
+
+From: Namjae Jeon
+
+commit 5282491fc49d5614ac6ddcd012e5743eecb6a67c upstream.
+
+If data_offset and data_length of smb_direct_data_transfer struct are
+invalid, out of bounds issue could happen.
+This patch validate data_offset and data_length field in recv_done.
+
+Cc: stable@vger.kernel.org
+Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct")
+Reviewed-by: Stefan Metzmacher
+Reported-by: Luigino Camastra, Aisle Research
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/transport_rdma.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -553,7 +553,7 @@ static void recv_done(struct ib_cq *cq,
+ case SMB_DIRECT_MSG_DATA_TRANSFER: {
+ struct smb_direct_data_transfer *data_transfer =
+ (struct smb_direct_data_transfer *)recvmsg->packet;
+- unsigned int data_length;
++ unsigned int data_offset, data_length;
+ int avail_recvmsg_count, receive_credits;
+
+ if (wc->byte_len <
+@@ -564,14 +564,15 @@ static void recv_done(struct ib_cq *cq,
+ }
+
+ data_length = le32_to_cpu(data_transfer->data_length);
+- if (data_length) {
+- if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
+- (u64)data_length) {
+- put_recvmsg(t, recvmsg);
+- smb_direct_disconnect_rdma_connection(t);
+- return;
+- }
++ data_offset = le32_to_cpu(data_transfer->data_offset);
++ if (wc->byte_len < data_offset ||
++ wc->byte_len < (u64)data_offset + data_length) {
++ put_recvmsg(t, recvmsg);
++ smb_direct_disconnect_rdma_connection(t);
++ return;
++ }
+
++ if (data_length) {
+ if (t->full_packet_received)
+ recvmsg->first_segment = true;
+
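Review bot: The new bounds check in recv_done() puts only an upper limit on `data_offset`; nothing rejects an offset that points into the `struct smb_direct_data_transfer` header itself, which the removed check covered implicitly by adding `sizeof(struct smb_direct_data_transfer)` to the length. With a non-zero `data_length` and a small peer-supplied `data_offset`, the payload region would overlap the header fields; whether the code that later consumes the payload honours `data_offset` is not visible in this hunk. Consider also treating `data_length && data_offset < sizeof(struct smb_direct_data_transfer)` as invalid and disconnecting in the same branch. The first comparison, `wc->byte_len < data_offset`, is already implied by the 64-bit sum on the next line. recv_done() starts and ends outside the hunk.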
diff --git a/queue-6.6/ksmbd-smbdirect-verify-remaining_data_length-respects-max_fragmented_recv_size.patch b/queue-6.6/ksmbd-smbdirect-verify-remaining_data_length-respects-max_fragmented_recv_size.patch
new file mode 100644
index 0000000000..a293e15aa5
--- /dev/null
+++ b/queue-6.6/ksmbd-smbdirect-verify-remaining_data_length-respects-max_fragmented_recv_size.patch
@@ -0,0 +1,59 @@
+From e1868ba37fd27c6a68e31565402b154beaa65df0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Thu, 11 Sep 2025 10:05:23 +0900
+Subject: ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size
+
+From: Stefan Metzmacher
+
+commit e1868ba37fd27c6a68e31565402b154beaa65df0 upstream.
+
+This is inspired by the check for data_offset + data_length.
+
+Cc: Steve French
+Cc: Tom Talpey
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Cc: stable@vger.kernel.org
+Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct")
+Acked-by: Namjae Jeon
+Signed-off-by: Stefan Metzmacher
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/transport_rdma.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -553,7 +553,7 @@ static void recv_done(struct ib_cq *cq,
+ case SMB_DIRECT_MSG_DATA_TRANSFER: {
+ struct smb_direct_data_transfer *data_transfer =
+ (struct smb_direct_data_transfer *)recvmsg->packet;
+- unsigned int data_offset, data_length;
++ u32 remaining_data_length, data_offset, data_length;
+ int avail_recvmsg_count, receive_credits;
+
+ if (wc->byte_len <
+@@ -563,6 +563,7 @@ static void recv_done(struct ib_cq *cq,
+ return;
+ }
+
++ remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length);
+ data_length = le32_to_cpu(data_transfer->data_length);
+ data_offset = le32_to_cpu(data_transfer->data_offset);
+ if (wc->byte_len < data_offset ||
+@@ -570,6 +571,14 @@ static void recv_done(struct ib_cq *cq,
+ put_recvmsg(t, recvmsg);
+ smb_direct_disconnect_rdma_connection(t);
+ return;
++ }
++ if (remaining_data_length > t->max_fragmented_recv_size ||
++ data_length > t->max_fragmented_recv_size ||
++ (u64)remaining_data_length + (u64)data_length >
++ (u64)t->max_fragmented_recv_size) {
++ put_recvmsg(t, recvmsg);
++ smb_direct_disconnect_rdma_connection(t);
++ return;
+ }
+
+ if (data_length) {
diff --git a/queue-6.6/kvm-svm-sync-tpr-from-lapic-into-vmcb-v_tpr-even-if-avic-is-active.patch b/queue-6.6/kvm-svm-sync-tpr-from-lapic-into-vmcb-v_tpr-even-if-avic-is-active.patch
new file mode 100644
index 0000000000..3dd9392a3a
--- /dev/null
+++ b/queue-6.6/kvm-svm-sync-tpr-from-lapic-into-vmcb-v_tpr-even-if-avic-is-active.patch
@@ -0,0 +1,56 @@ +From d02e48830e3fce9701265f6c5a58d9bdaf906a76 Mon Sep 17 00:00:00 2001 +From: "Maciej S. Szmigiero" +Date: Mon, 25 Aug 2025 18:44:28 +0200 +Subject: KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active + +From: Maciej S. Szmigiero + +commit d02e48830e3fce9701265f6c5a58d9bdaf906a76 upstream. + +Commit 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC") +inhibited pre-VMRUN sync of TPR from LAPIC into VMCB::V_TPR in +sync_lapic_to_cr8() when AVIC is active. + +AVIC does automatically sync between these two fields, however it does +so only on explicit guest writes to one of these fields, not on a bare +VMRUN. + +This meant that when AVIC is enabled host changes to TPR in the LAPIC +state might not get automatically copied into the V_TPR field of VMCB. + +This is especially true when it is the userspace setting LAPIC state via +KVM_SET_LAPIC ioctl() since userspace does not have access to the guest +VMCB. + +Practice shows that it is the V_TPR that is actually used by the AVIC to +decide whether to issue pending interrupts to the CPU (not TPR in TASKPRI), +so any leftover value in V_TPR will cause serious interrupt delivery issues +in the guest when AVIC is enabled. + +Fix this issue by doing pre-VMRUN TPR sync from LAPIC into VMCB::V_TPR +even when AVIC is enabled. + +Fixes: 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC") +Cc: stable@vger.kernel.org +Signed-off-by: Maciej S. 
Szmigiero +Reviewed-by: Naveen N Rao (AMD) +Link: https://lore.kernel.org/r/c231be64280b1461e854e1ce3595d70cde3a2e9d.1756139678.git.maciej.szmigiero@oracle.com +[sean: tag for stable@] +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/svm.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -4029,8 +4029,7 @@ static inline void sync_lapic_to_cr8(str + struct vcpu_svm *svm = to_svm(vcpu); + u64 cr8; + +- if (nested_svm_virtualize_tpr(vcpu) || +- kvm_vcpu_apicv_active(vcpu)) ++ if (nested_svm_virtualize_tpr(vcpu)) + return; + + cr8 = kvm_get_cr8(vcpu); diff --git a/queue-6.6/loongarch-align-acpi-structures-if-arch_strict_align-enabled.patch b/queue-6.6/loongarch-align-acpi-structures-if-arch_strict_align-enabled.patch new file mode 100644 index 0000000000..a68db66fb2 --- /dev/null +++ b/queue-6.6/loongarch-align-acpi-structures-if-arch_strict_align-enabled.patch 
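Review bot: sync_lapic_to_cr8() now skips the copy only for `nested_svm_virtualize_tpr(vcpu)`, but nothing in the code records why the AVIC case is deliberately not skipped, so the removed `kvm_vcpu_apicv_active(vcpu)` test could easily come back as a supposed optimisation. A short comment above the `if` would carry the reasoning from the commit message into the source, for example `/* Sync even with AVIC active: it mirrors TPR only on guest writes, not on VMRUN. */`. The function continues past the end of the hunk.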
@@ -0,0 +1,41 @@
+From a9d13433fe17be0e867e51e71a1acd2731fbef8d Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Thu, 18 Sep 2025 19:44:01 +0800
+Subject: LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled
+
+From: Huacai Chen
+
+commit a9d13433fe17be0e867e51e71a1acd2731fbef8d upstream.
+
+ARCH_STRICT_ALIGN is used for hardware without UAL, now it only control
+the -mstrict-align flag. However, ACPI structures are packed by default
+so will cause unaligned accesses.
+
+To avoid this, define ACPI_MISALIGNMENT_NOT_SUPPORTED in asm/acenv.h to
+align ACPI structures if ARCH_STRICT_ALIGN enabled.
+
+Cc: stable@vger.kernel.org
+Reported-by: Binbin Zhou
+Suggested-by: Xi Ruoyao
+Suggested-by: Jiaxun Yang
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/include/asm/acenv.h | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/arch/loongarch/include/asm/acenv.h
++++ b/arch/loongarch/include/asm/acenv.h
+@@ -10,9 +10,8 @@
+ #ifndef _ASM_LOONGARCH_ACENV_H
+ #define _ASM_LOONGARCH_ACENV_H
+
+-/*
+- * This header is required by ACPI core, but we have nothing to fill in
+- * right now. Will be updated later when needed.
+- */
++#ifdef CONFIG_ARCH_STRICT_ALIGN
++#define ACPI_MISALIGNMENT_NOT_SUPPORTED
++#endif /* CONFIG_ARCH_STRICT_ALIGN */
+
+ #endif /* _ASM_LOONGARCH_ACENV_H */
diff --git a/queue-6.6/loongarch-check-the-return-value-when-creating-kobj.patch b/queue-6.6/loongarch-check-the-return-value-when-creating-kobj.patch
new file mode 100644
index 0000000000..7461f27dfd
--- /dev/null
+++ b/queue-6.6/loongarch-check-the-return-value-when-creating-kobj.patch
@@ -0,0 +1,31 @@
+From 51adb03e6b865c0c6790f29659ff52d56742de2e Mon Sep 17 00:00:00 2001
+From: Tao Cui
+Date: Thu, 18 Sep 2025 19:44:04 +0800
+Subject: LoongArch: Check the return value when creating kobj
+
+From: Tao Cui
+
+commit 51adb03e6b865c0c6790f29659ff52d56742de2e upstream.
+
+Add a check for the return value of kobject_create_and_add(), to ensure
+that the kobj allocation succeeds for later use.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tao Cui
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kernel/env.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/loongarch/kernel/env.c
++++ b/arch/loongarch/kernel/env.c
+@@ -72,6 +72,8 @@ static int __init boardinfo_init(void)
+ struct kobject *loongson_kobj;
+
+ loongson_kobj = kobject_create_and_add("loongson", firmware_kobj);
++ if (!loongson_kobj)
++ return -ENOMEM;
+
+ return sysfs_create_file(loongson_kobj, &boardinfo_attr.attr);
+ }
diff --git a/queue-6.6/loongarch-update-help-info-of-arch_strict_align.patch b/queue-6.6/loongarch-update-help-info-of-arch_strict_align.patch
new file mode 100644
index 0000000000..a83e4e405c
--- /dev/null
+++ b/queue-6.6/loongarch-update-help-info-of-arch_strict_align.patch
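Review bot: boardinfo_init() still leaks the new kobject when `sysfs_create_file()` fails: the added check covers only a NULL return from `kobject_create_and_add()`, and the final `return sysfs_create_file(...)` passes the error up without dropping the reference. Storing the result in a local and calling `kobject_put(loongson_kobj);` when it is non-zero, before returning it, would avoid leaving a registered `loongson` kobject that carries no attribute. The function's opening lines are outside the hunk.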
@@ -0,0 +1,43 @@ +From f5003098e2f337d8e8a87dc636250e3fa978d9ad Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Thu, 18 Sep 2025 19:43:42 +0800 +Subject: LoongArch: Update help info of ARCH_STRICT_ALIGN + +From: Tiezhu Yang + +commit f5003098e2f337d8e8a87dc636250e3fa978d9ad upstream. + +Loongson-3A6000 and 3C6000 CPUs also support unaligned memory access, so +the current description is out of date to some extent. + +Actually, all of Loongson-3 series processors based on LoongArch support +unaligned memory access, this hardware capability is indicated by the bit +20 (UAL) of CPUCFG1 register, update the help info to reflect the reality. + +Cc: stable@vger.kernel.org +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/Kconfig | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/Kconfig ++++ b/arch/loongarch/Kconfig +@@ -503,10 +503,14 @@ config ARCH_STRICT_ALIGN + -mstrict-align build parameter to prevent unaligned accesses. + + CPUs with h/w unaligned access support: +- Loongson-2K2000/2K3000/3A5000/3C5000/3D5000. ++ Loongson-2K2000/2K3000 and all of Loongson-3 series processors ++ based on LoongArch. + + CPUs without h/w unaligned access support: +- Loongson-2K500/2K1000. ++ Loongson-2K0300/2K0500/2K1000. ++ ++ If you want to make sure whether to support unaligned memory access ++ on your hardware, please read the bit 20 (UAL) of CPUCFG1 register. + + This option is enabled by default to make the kernel be able to run + on all LoongArch systems. But you can disable it manually if you want diff --git a/queue-6.6/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch b/queue-6.6/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..d3706bdb10 --- /dev/null +++ b/queue-6.6/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch 
@@ -0,0 +1,33 @@
+From 8ab2f1c35669bff7d7ed1bb16bf5cc989b3e2e17 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Tue, 26 Aug 2025 09:58:08 +0200
+Subject: mmc: mvsdio: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier
+
+commit 8ab2f1c35669bff7d7ed1bb16bf5cc989b3e2e17 upstream.
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 236caa7cc351 ("mmc: SDIO driver for Marvell SoCs")
+Signed-off-by: Thomas Fourier
+Reviewed-by: Linus Walleij
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mvsdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mvsdio.c
++++ b/drivers/mmc/host/mvsdio.c
+@@ -292,7 +292,7 @@ static u32 mvsd_finish_data(struct mvsd_
+ host->pio_ptr = NULL;
+ host->pio_size = 0;
+ } else {
+- dma_unmap_sg(mmc_dev(host->mmc), data->sg, host->sg_frags,
++ dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
+ mmc_get_dma_dir(data));
+ }
+
diff --git a/queue-6.6/net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch b/queue-6.6/net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch
new file mode 100644
index 0000000000..4fcd02896b
--- /dev/null
+++ b/queue-6.6/net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch
@@ -0,0 +1,56 @@ +From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 13 Sep 2025 13:35:15 +0200 +Subject: net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer + +From: Hans de Goede + +commit b6f56a44e4c1014b08859dcf04ed246500e310e5 upstream. + +Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from +device property") rfkill_find_type() gets called with the possibly +uninitialized "const char *type_name;" local variable. + +On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" +acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: + + rfkill->type = (unsigned)id->driver_data; + +and there is no "type" property so device_property_read_string() will fail +and leave type_name uninitialized, leading to a potential crash. + +rfkill_find_type() does accept a NULL pointer, fix the potential crash +by initializing type_name to NULL. + +Note likely sofar this has not been caught because: + +1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device +2. 
The stack happened to contain NULL where type_name is stored + +Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") +Cc: stable@vger.kernel.org +Cc: Heikki Krogerus +Signed-off-by: Hans de Goede +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/rfkill-gpio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/rfkill/rfkill-gpio.c ++++ b/net/rfkill/rfkill-gpio.c +@@ -79,10 +79,10 @@ static int rfkill_gpio_acpi_probe(struct + static int rfkill_gpio_probe(struct platform_device *pdev) + { + struct rfkill_gpio_data *rfkill; +- struct gpio_desc *gpio; ++ const char *type_name = NULL; + const char *name_property; + const char *type_property; +- const char *type_name; ++ struct gpio_desc *gpio; + int ret; + + rfkill = devm_kzalloc(&pdev->dev, sizeof(*rfkill), GFP_KERNEL); diff --git a/queue-6.6/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch b/queue-6.6/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch new file mode 100644 index 0000000000..dcbce1f4a3 --- /dev/null +++ b/queue-6.6/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch 
@@ -0,0 +1,95 @@ +From 025e87f8ea2ae3a28bf1fe2b052bfa412c27ed4a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 6 Sep 2025 23:43:34 +0900 +Subject: nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* + +From: Nathan Chancellor + +commit 025e87f8ea2ae3a28bf1fe2b052bfa412c27ed4a upstream. + +When accessing one of the files under /sys/fs/nilfs2/features when +CONFIG_CFI_CLANG is enabled, there is a CFI violation: + + CFI failure at kobj_attr_show+0x59/0x80 (target: nilfs_feature_revision_show+0x0/0x30; expected type: 0xfc392c4d) + ... + Call Trace: + + sysfs_kf_seq_show+0x2a6/0x390 + ? __cfi_kobj_attr_show+0x10/0x10 + kernfs_seq_show+0x104/0x15b + seq_read_iter+0x580/0xe2b + ... + +When the kobject of the kset for /sys/fs/nilfs2 is initialized, its ktype +is set to kset_ktype, which has a ->sysfs_ops of kobj_sysfs_ops. When +nilfs_feature_attr_group is added to that kobject via +sysfs_create_group(), the kernfs_ops of each files is sysfs_file_kfops_rw, +which will call sysfs_kf_seq_show() when ->seq_show() is called. +sysfs_kf_seq_show() in turn calls kobj_attr_show() through +->sysfs_ops->show(). kobj_attr_show() casts the provided attribute out to +a 'struct kobj_attribute' via container_of() and calls ->show(), resulting +in the CFI violation since neither nilfs_feature_revision_show() nor +nilfs_feature_README_show() match the prototype of ->show() in 'struct +kobj_attribute'. + +Resolve the CFI violation by adjusting the second parameter in +nilfs_feature_{revision,README}_show() from 'struct attribute' to 'struct +kobj_attribute' to match the expected prototype. 
+ +Link: https://lkml.kernel.org/r/20250906144410.22511-1-konishi.ryusuke@gmail.com +Fixes: aebe17f68444 ("nilfs2: add /sys/fs/nilfs2/features group") +Signed-off-by: Nathan Chancellor +Signed-off-by: Ryusuke Konishi +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202509021646.bc78d9ef-lkp@intel.com/ +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/sysfs.c | 4 ++-- + fs/nilfs2/sysfs.h | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1075,7 +1075,7 @@ void nilfs_sysfs_delete_device_group(str + ************************************************************************/ + + static ssize_t nilfs_feature_revision_show(struct kobject *kobj, +- struct attribute *attr, char *buf) ++ struct kobj_attribute *attr, char *buf) + { + return sysfs_emit(buf, "%d.%d\n", + NILFS_CURRENT_REV, NILFS_MINOR_REV); +@@ -1087,7 +1087,7 @@ static const char features_readme_str[] + "(1) revision\n\tshow current revision of NILFS file system driver.\n"; + + static ssize_t nilfs_feature_README_show(struct kobject *kobj, +- struct attribute *attr, ++ struct kobj_attribute *attr, + char *buf) + { + return sysfs_emit(buf, features_readme_str); +--- a/fs/nilfs2/sysfs.h ++++ b/fs/nilfs2/sysfs.h +@@ -50,16 +50,16 @@ struct nilfs_sysfs_dev_subgroups { + struct completion sg_segments_kobj_unregister; + }; + +-#define NILFS_COMMON_ATTR_STRUCT(name) \ ++#define NILFS_KOBJ_ATTR_STRUCT(name) \ + struct nilfs_##name##_attr { \ + struct attribute attr; \ +- ssize_t (*show)(struct kobject *, struct attribute *, \ ++ ssize_t (*show)(struct kobject *, struct kobj_attribute *, \ + char *); \ +- ssize_t (*store)(struct kobject *, struct attribute *, \ ++ ssize_t (*store)(struct kobject *, struct kobj_attribute *, \ + const char *, size_t); \ + } + +-NILFS_COMMON_ATTR_STRUCT(feature); ++NILFS_KOBJ_ATTR_STRUCT(feature); + + #define NILFS_DEV_ATTR_STRUCT(name) \ + struct 
nilfs_##name##_attr { \ diff --git a/queue-6.6/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch b/queue-6.6/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch new file mode 100644 index 0000000000..6cd472981b --- /dev/null +++ b/queue-6.6/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch 
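Review bot: `NILFS_KOBJ_ATTR_STRUCT` in sysfs.h still declares a separate `struct nilfs_feature_attr` that has to mirror `struct kobj_attribute` member for member, because, as the commit message describes, kobj_attr_show() reaches these objects through container_of() on `struct kobj_attribute`. The prototype change satisfies CFI, but that layout dependency is not written down anywhere in the code. I would add above the macro `/* Must stay layout-compatible with struct kobj_attribute; kobj_attr_show() dereferences these as such. */`, or use `struct kobj_attribute` directly if the rest of the file allows it. Separately, in sysfs.c `sysfs_emit(buf, features_readme_str)` passes a non-literal format string, and `sysfs_emit(buf, "%s", features_readme_str)` would be the safer form. The macro's other users are outside the hunk.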
@@ -0,0 +1,66 @@ +From 2c334d038466ac509468fbe06905a32d202117db Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Sat, 23 Aug 2025 12:34:56 +0200 +Subject: power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery + +From: H. Nikolaus Schaller + +commit 2c334d038466ac509468fbe06905a32d202117db upstream. + +Since commit + + commit f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy") + +the console log of some devices with hdq enabled but no bq27000 battery +(like e.g. the Pandaboard) is flooded with messages like: + +[ 34.247833] power_supply bq27000-battery: driver failed to report 'status' property: -1 + +as soon as user-space is finding a /sys entry and trying to read the +"status" property. + +It turns out that the offending commit changes the logic to now return the +value of cache.flags if it is <0. This is likely under the assumption that +it is an error number. In normal errors from bq27xxx_read() this is indeed +the case. + +But there is special code to detect if no bq27000 is installed or accessible +through hdq/1wire and wants to report this. In that case, the cache.flags +are set historically by + + commit 3dd843e1c26a ("bq27000: report missing device better.") + +to constant -1 which did make reading properties return -ENODEV. So everything +appeared to be fine before the return value was passed upwards. + +Now the -1 is returned as -EPERM instead of -ENODEV, triggering the error +condition in power_supply_format_property() which then floods the console log. + +So we change the detection of missing bq27000 battery to simply set + + cache.flags = -ENODEV + +instead of -1. + +Fixes: f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy") +Cc: Jerry Lv +Cc: stable@vger.kernel.org +Signed-off-by: H. 
Nikolaus Schaller +Link: https://lore.kernel.org/r/692f79eb6fd541adb397038ea6e750d4de2deddf.1755945297.git.hns@goldelico.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1873,7 +1873,7 @@ static void bq27xxx_battery_update_unloc + + cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag); + if ((cache.flags & 0xff) == 0xff) +- cache.flags = -1; /* read error */ ++ cache.flags = -ENODEV; /* read error */ + if (cache.flags >= 0) { + cache.temperature = bq27xxx_battery_read_temperature(di); + if (di->regs[BQ27XXX_REG_TTE] != INVALID_REG_ADDR) diff --git a/queue-6.6/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch b/queue-6.6/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch new file mode 100644 index 0000000000..412fff9fb4 --- /dev/null +++ b/queue-6.6/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch 
@@ -0,0 +1,48 @@
+From 1e451977e1703b6db072719b37cd1b8e250b9cc9 Mon Sep 17 00:00:00 2001
+From: "H. Nikolaus Schaller"
+Date: Sat, 23 Aug 2025 12:34:57 +0200
+Subject: power: supply: bq27xxx: restrict no-battery detection to bq27000
+
+From: H. Nikolaus Schaller
+
+commit 1e451977e1703b6db072719b37cd1b8e250b9cc9 upstream.
+
+There are fuel gauges in the bq27xxx series (e.g. bq27z561) which may in some
+cases report 0xff as the value of BQ27XXX_REG_FLAGS that should not be
+interpreted as "no battery" like for a disconnected battery with some built
+in bq27000 chip.
+
+So restrict the no-battery detection originally introduced by
+
+ commit 3dd843e1c26a ("bq27000: report missing device better.")
+
+to the bq27000.
+
+There is no need to backport further because this was hidden before
+
+ commit f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy")
+
+Fixes: f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy")
+Suggested-by: Jerry Lv
+Cc: stable@vger.kernel.org
+Signed-off-by: H. Nikolaus Schaller
+Link: https://lore.kernel.org/r/dd979fa6855fd051ee5117016c58daaa05966e24.1755945297.git.hns@goldelico.com
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/power/supply/bq27xxx_battery.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1872,8 +1872,8 @@ static void bq27xxx_battery_update_unloc
+ bool has_singe_flag = di->opts & BQ27XXX_O_ZERO;
+
+ cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag);
+- if ((cache.flags & 0xff) == 0xff)
+- cache.flags = -ENODEV; /* read error */
++ if (di->chip == BQ27000 && (cache.flags & 0xff) == 0xff)
++ cache.flags = -ENODEV; /* bq27000 hdq read error */
+ if (cache.flags >= 0) {
+ cache.temperature = bq27xxx_battery_read_temperature(di);
+ if (di->regs[BQ27XXX_REG_TTE] != INVALID_REG_ADDR)
diff --git a/queue-6.6/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch b/queue-6.6/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch
new file mode 100644
index 0000000000..dbc9e3d729
--- /dev/null
+++ b/queue-6.6/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch
@@ -0,0 +1,82 @@ +From 4351ca3fcb3ffecf12631b4996bf085a2dad0db6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Thu, 11 Sep 2025 15:33:34 +0200 +Subject: rds: ib: Increment i_fastreg_wrs before bailing out +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +commit 4351ca3fcb3ffecf12631b4996bf085a2dad0db6 upstream. + +We need to increment i_fastreg_wrs before we bail out from +rds_ib_post_reg_frmr(). + +We have a fixed budget of how many FRWR operations that can be +outstanding using the dedicated QP used for memory registrations and +de-registrations. This budget is enforced by the atomic_t +i_fastreg_wrs. If we bail out early in rds_ib_post_reg_frmr(), we will +"leak" the possibility of posting an FRWR operation, and if that +accumulates, no FRWR operation can be carried out. + +Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") +Fixes: 3a2886cca703 ("net/rds: Keep track of and wait for FRWR segments in use upon shutdown") +Cc: stable@vger.kernel.org +Signed-off-by: HÃ¥kon Bugge +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/20250911133336.451212-1-haakon.bugge@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_frmr.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/net/rds/ib_frmr.c ++++ b/net/rds/ib_frmr.c +@@ -133,12 +133,15 @@ static int rds_ib_post_reg_frmr(struct r + + ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_dma_len, + &off, PAGE_SIZE); +- if (unlikely(ret != ibmr->sg_dma_len)) +- return ret < 0 ? ret : -EINVAL; ++ if (unlikely(ret != ibmr->sg_dma_len)) { ++ ret = ret < 0 ? 
ret : -EINVAL; ++ goto out_inc; ++ } + +- if (cmpxchg(&frmr->fr_state, +- FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) +- return -EBUSY; ++ if (cmpxchg(&frmr->fr_state, FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) { ++ ret = -EBUSY; ++ goto out_inc; ++ } + + atomic_inc(&ibmr->ic->i_fastreg_inuse_count); + +@@ -166,11 +169,10 @@ static int rds_ib_post_reg_frmr(struct r + /* Failure here can be because of -ENOMEM as well */ + rds_transition_frwr_state(ibmr, FRMR_IS_INUSE, FRMR_IS_STALE); + +- atomic_inc(&ibmr->ic->i_fastreg_wrs); + if (printk_ratelimit()) + pr_warn("RDS/IB: %s returned error(%d)\n", + __func__, ret); +- goto out; ++ goto out_inc; + } + + /* Wait for the registration to complete in order to prevent an invalid +@@ -179,8 +181,10 @@ static int rds_ib_post_reg_frmr(struct r + */ + wait_event(frmr->fr_reg_done, !frmr->fr_reg); + +-out: ++ return ret; + ++out_inc: ++ atomic_inc(&ibmr->ic->i_fastreg_wrs); + return ret; + } + diff --git a/queue-6.6/selftests-mptcp-avoid-spurious-errors-on-tcp-disconnect.patch b/queue-6.6/selftests-mptcp-avoid-spurious-errors-on-tcp-disconnect.patch new file mode 100644 index 0000000000..d24cc8be70 --- /dev/null +++ b/queue-6.6/selftests-mptcp-avoid-spurious-errors-on-tcp-disconnect.patch 
@@ -0,0 +1,93 @@ +From 8708c5d8b3fb3f6d5d3b9e6bfe01a505819f519a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Fri, 12 Sep 2025 14:25:52 +0200 +Subject: selftests: mptcp: avoid spurious errors on TCP disconnect + +From: Matthieu Baerts (NGI0) + +commit 8708c5d8b3fb3f6d5d3b9e6bfe01a505819f519a upstream. + +The disconnect test-case, with 'plain' TCP sockets generates spurious +errors, e.g. + + 07 ns1 TCP -> ns1 (dead:beef:1::1:10006) MPTCP + read: Connection reset by peer + read: Connection reset by peer + (duration 155ms) [FAIL] client exit code 3, server 3 + + netns ns1-FloSdv (listener) socket stat for 10006: + TcpActiveOpens 2 0.0 + TcpPassiveOpens 2 0.0 + TcpEstabResets 2 0.0 + TcpInSegs 274 0.0 + TcpOutSegs 276 0.0 + TcpOutRsts 3 0.0 + TcpExtPruneCalled 2 0.0 + TcpExtRcvPruned 1 0.0 + TcpExtTCPPureAcks 104 0.0 + TcpExtTCPRcvCollapsed 2 0.0 + TcpExtTCPBacklogCoalesce 42 0.0 + TcpExtTCPRcvCoalesce 43 0.0 + TcpExtTCPChallengeACK 1 0.0 + TcpExtTCPFromZeroWindowAdv 42 0.0 + TcpExtTCPToZeroWindowAdv 41 0.0 + TcpExtTCPWantZeroWindowAdv 13 0.0 + TcpExtTCPOrigDataSent 164 0.0 + TcpExtTCPDelivered 165 0.0 + TcpExtTCPRcvQDrop 1 0.0 + +In the failing scenarios (TCP -> MPTCP), the involved sockets are +actually plain TCP ones, as fallbacks for passive sockets at 2WHS time +cause the MPTCP listeners to actually create 'plain' TCP sockets. + +Similar to commit 218cc166321f ("selftests: mptcp: avoid spurious errors +on disconnect"), the root cause is in the user-space bits: the test +program tries to disconnect as soon as all the pending data has been +spooled, generating an RST. If such option reaches the peer before the +connection has reached the closed status, the TCP socket will report an +error to the user-space, as per protocol specification, causing the +above failure. Note that it looks like this issue got more visible since +the "tcp: receiver changes" series from commit 06baf9bfa6ca ("Merge +branch 'tcp-receiver-changes'"). 
+ +Address the issue by explicitly waiting for the TCP sockets (-t) to +reach a closed status before performing the disconnect. More precisely, +the test program now waits for plain TCP sockets or TCP subflows in +addition to the MPTCP sockets that were already monitored. + +While at it, use 'ss' with '-n' to avoid resolving service names, which +is not needed here. + +Fixes: 218cc166321f ("selftests: mptcp: avoid spurious errors on disconnect") +Cc: stable@vger.kernel.org +Suggested-by: Paolo Abeni +Reviewed-by: Mat Martineau +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-3-d40e77cbbf02@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c +@@ -1234,7 +1234,7 @@ void xdisconnect(int fd) + else + xerror("bad family"); + +- strcpy(cmd, "ss -M | grep -q "); ++ strcpy(cmd, "ss -Mnt | grep -q "); + cmdlen = strlen(cmd); + if (!inet_ntop(addr.ss_family, raw_addr, &cmd[cmdlen], + sizeof(cmd) - cmdlen)) +@@ -1244,7 +1244,7 @@ void xdisconnect(int fd) + + /* + * wait until the pending data is completely flushed and all +- * the MPTCP sockets reached the closed status. ++ * the sockets reached the closed status. + * disconnect will bypass/ignore/drop any pending data. + */ + for (i = 0; ; i += msec_sleep) { diff --git a/queue-6.6/selftests-mptcp-connect-catch-io-errors-on-listen-side.patch b/queue-6.6/selftests-mptcp-connect-catch-io-errors-on-listen-side.patch new file mode 100644 index 0000000000..2e545e3c23 --- /dev/null +++ b/queue-6.6/selftests-mptcp-connect-catch-io-errors-on-listen-side.patch 
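Review bot: Adding `-t` in xdisconnect() widens what the unanchored `grep -q` can match: the pattern is only the textual address appended by inet_ntop(), so its dots act as regex wildcards and an address that is a prefix of another one also matches. Any other TCP socket in the namespace whose `ss` line contains that text would keep the wait loop going until its timeout, presumably showing up as a spurious failure. `strcpy(cmd, "ss -Mnt | grep -qF ");` would at least make the match literal. The rest of xdisconnect(), including how `cmd` is run, is outside the hunk.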
@@ -0,0 +1,71 @@
+From 14e22b43df25dbd4301351b882486ea38892ae4f Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Fri, 12 Sep 2025 14:25:51 +0200
+Subject: selftests: mptcp: connect: catch IO errors on listen side
+
+From: Matthieu Baerts (NGI0)
+
+commit 14e22b43df25dbd4301351b882486ea38892ae4f upstream.
+
+IO errors were correctly printed to stderr, and propagated up to the
+main loop for the server side, but the returned value was ignored. As a
+consequence, the program for the listener side was no longer exiting
+with an error code in case of IO issues.
+
+Because of that, some issues might not have been seen. But very likely,
+most issues either had an effect on the client side, or the file
+transfer was not the expected one, e.g. the connection got reset before
+the end. Still, it is better to fix this.
+
+The main consequence of this issue is the error that was reported by the
+selftests: the received and sent files were different, and the MIB
+counters were not printed. Also, when such errors happened during the
+'disconnect' tests, the program tried to continue until the timeout.
+
+Now when an IO error is detected, the program exits directly with an
+error.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-2-d40e77cbbf02@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1079,6 +1079,7 @@ int main_loop_s(int listensock)
+ struct pollfd polls;
+ socklen_t salen;
+ int remotesock;
++ int err = 0;
+ int fd = 0;
+
+ again:
+@@ -1111,7 +1112,7 @@ again:
+ SOCK_TEST_TCPULP(remotesock, 0);
+
+ memset(&winfo, 0, sizeof(winfo));
+- copyfd_io(fd, remotesock, 1, true, &winfo);
++ err = copyfd_io(fd, remotesock, 1, true, &winfo);
+ } else {
+ perror("accept");
+ return 1;
+@@ -1120,10 +1121,10 @@ again:
+ if (cfg_input)
+ close(fd);
+
+- if (--cfg_repeat > 0)
++ if (!err && --cfg_repeat > 0)
+ goto again;
+
+- return 0;
++ return err;
+ }
+
+ static void init_rng(void)
diff --git a/queue-6.6/series b/queue-6.6/series
index 64e2a6abaf..973cc797e5 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -23,3 +23,26 @@ revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch
 net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch
 cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch
 octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch
+ksmbd-smbdirect-validate-data_offset-and-data_length-field-of-smb_direct_data_transfer.patch
+ksmbd-smbdirect-verify-remaining_data_length-respects-max_fragmented_recv_size.patch
+nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch
+crypto-af_alg-disallow-concurrent-writes-in-af_alg_sendmsg.patch
+power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch
+power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch
+loongarch-update-help-info-of-arch_strict_align.patch
+loongarch-align-acpi-structures-if-arch_strict_align-enabled.patch
+loongarch-check-the-return-value-when-creating-kobj.patch
+iommu-vt-d-fix-__domain_mapping-s-usage-of-switch_to_super_page.patch
+btrfs-tree-checker-fix-the-incorrect-inode-ref-size-check.patch
+asoc-qcom-audioreach-fix-lpaif_type-configuration-for-the-i2s-interface.patch
+asoc-qcom-q6apm-lpass-dais-fix-null-pointer-dereference-if-source-graph-failed.patch
+asoc-qcom-q6apm-lpass-dais-fix-missing-set_fmt-dai-op-for-i2s.patch
+mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch
+kvm-svm-sync-tpr-from-lapic-into-vmcb-v_tpr-even-if-avic-is-active.patch
+net-rfkill-gpio-fix-crash-due-to-dereferencering-uninitialized-pointer.patch
+rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch
+selftests-mptcp-connect-catch-io-errors-on-listen-side.patch
+selftests-mptcp-avoid-spurious-errors-on-tcp-disconnect.patch
+alsa-hda-realtek-fix-mute-led-for-hp-laptop-15-dw4xx.patch
+io_uring-backport-io_should_terminate_tw.patch
+io_uring-include-dying-ring-in-task_work-should-cancel-state.patch
--
2.47.3